...making Linux just a little more fun!
By Edgar Howell
Quite some time ago, a friend mentioned IP Cop to me. At the time, it sounded interesting, but other things kept getting in the way. Now that I have had a chance to play with it a bit, it has become extremely interesting and will likely be a permanent player in my computing environment.
Whoops!
IP Cop?
What is that?
Well, it's a gateway, and a router, and a firewall, and does DHCP...
Actually, in essence, just about everything the small LAN needs
to connect safely to the untamed Internet.
Yep, set up IP Cop and you can forget /etc/hosts.
Who cares about IP-addresses, anyhow?
Firewall? Why?
IP Cop is your interface to the outside world and
has almost no services running - thus, little or almost nothing to attack.
Seriously, it is no substitute for caution and can't protect you from damage from within, trojans, viruses and the like. So let's look more closely at IP Cop and its installation and configuration and what it can do.
Essentially, as the name implies, IP Cop directs traffic at
an intersection without traffic lights - in this case, IP traffic.
It is a special-purpose Linux distribution that functions as
an interface between you, your internal network(s),
and the outside world - the Internet.
To the Internet, it has a very small profile, offering almost no services.
It also discriminates between your LAN (IP Cop terminology: green),
a possible WLAN (blue), and a DMZ (orange).
Oh, yeah, the Internet itself is - surprise! - red.
But it goes far beyond this.
Once you have IP Cop in your network, you can forget assigning
IP-addresses. Just tell it the address range to use and it will take over
that task dynamically. Well, if the PCs you attach to your network are
well-behaved enough to participate in DHCP (dynamic host configuration
protocol). Or you can easily do it by hand.
The IP Cop Installation Manual says that it can be done in about
15 minutes after you gather the required information.
This is correct... but by now, I can probably get a SuSE distribution
installed in not a whole lot more than that - blind-folded.
Unfortunately, never having done IP Cop before, it took me a little longer.
So please bear with me if in the following I go into a bit more detail than you might want. I certainly would have appreciated it and the guy next to you might.
IP Cop was designed to make use of modest resources to provide security. According to the installation manual it has been tested with a 386, 32 MB of RAM and 300 MB hard drive. In operation it requires neither keyboard nor monitor. And installation - as opposed to configuration - is equally minimalistic. Both keyboard and monitor are required but in text mode, probably only familiar to old DOS users.
Another consideration in your planning to install IP Cop is the fact that it takes over the entire hard drive. You will be warned and can cancel. IP Cop wants to be sole occupant and owner of the drive it lives on. But this is neat: a 4 GB drive is far more than it really requires and half that likely would be enough for a small LAN.
So here is what I went through during installation:
Current config: GREEN Done DHCP server configuration <space> (to enable) Start address: 192.168.1.1 End address: 192.168.1.30 <OK> root password root admin password admin setup is complete <OK>
This was enough to put IP Cop on the hard drive but it still requires a bit more information using text mode. So we log on as root and enter: setup. (In the following '[' and ']' indicate options on the screen that I ignored.)
[Keyboard mapping] [Timezone] [Hostname] [Domain name] ISDN configuration Protocol/Country Euro (EDSS1) [Set additional module parameters] ISDN card *AUTODETECT* AVM PCI/PNP (EXPERIMENTAL) Local phone number 02206608913 Enable ISDN Networking Network configuration Type GREEN (RED is modem/IDSN) [Drivers and card assignments] [Address settings] [DNS and Gateway settings]
At this point IP Cop was functional on the PC and could be pinged from other PCs on the network.
Besides offering almost no services outside, IP Cop strictly limits what root and admin can do. As root, one can log on to the PC on which IP Cop is running, but can only adjust a few things originally set up during the installation, as in ISDN vs modem and the like.
Administration takes place over the - now secure - network from another machine. So let's attach a notebook with SuSE 10 - as yet unused - and see what has to be done.
Since we haven't done anything about networking on this machine just yet, let's manually contact the DHCP server on IP Cop to get an IP-address and then check things out:
web@LohgoDell:~> su Password: LohgoDell:/home/web # dhcpcd -B LohgoDell:/home/web # ifconfig eth0 eth0 Link encap:Ethernet HWaddr 00:14:22:DF:EB:80 inet addr:192.168.1.30 Bcast:192.168.1.255 Mask:255.255.255.0 inet6 addr: fe80::214:22ff:fedf:eb80/64 Scope:Link UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1 RX packets:1 errors:0 dropped:0 overruns:0 frame:0 TX packets:15 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:346 (346.0 b) TX bytes:1814 (1.7 Kb) Interrupt:9 LohgoDell:/home/web # netstat -r Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 192.168.1.0 * 255.255.255.0 U 0 0 0 eth0 loopback * 255.0.0.0 U 0 0 0 lo default ipcop.lohgo 0.0.0.0 UG 0 0 0 eth0 LohgoDell:/home/web #
That looks really good, IP Cop even set itself up as the
default gateway! Now we can tell Mozilla to access IP Cop at
https://ipcop:445
so we can configure things:
Since we are sitting right next to the IP Cop machine, we know that the identity is correct and it's safe to permanently accept the certificate.
OK, no problem.
No problem there either.
The above is IP Cop's "home administrative window". Merely placing the
cursor over any of the boxes in the second of the two lines beginning with
"SYSTEM" produces a pop-down with relevant activities. To do anything
other than connect (dial) and disconnect (hang up) you will have to enter
the name and password of the administrator. My first order of business was
System|Backup
to save onto diskette what has been done so far.
Here's a little bit of what IP Cop put on the diskette.
At this point I went to Services|Proxy
and checked "Enabled on green" and
"Transparent on green". Remember that "green" is IP Cop terminology for
our LAN, which it is to protect from the rest of the world. Then on to
Services|Time Server
where I replaced "pool.ntp.org" with something more
reasonable:
Then under Network|Dialup
it was necessary to establish a
dialing profile and specify ISDN as the interface.
Under Reconnection
I checked "manual" and "Dial on Demand for
DNS", and under Authentication
I entered the user name and the
password for the provider.
At this point establishing a connection to the Internet was very easy: on the home administrative window click on "connect":
And now from another window on the notebook it was possible to "ping -c 3 www.google.com"! All without touching /etc/hosts or doing anything to set up a network other than executing dhcpcd.
Some of IP Cop's windows are too large to fit on the screen and require scrolling. This makes it easy to miss the "Save" and "Refresh" buttons at the bottom. Be sure to click on them when they are present or your changes will be quietly forgotten.
While you may want to select a different range of IP addresses for IP Cop to manage, it is otherwise a bad idea to change settings that deal with communication over the LAN. It is also a very bad idea to do that after initial configuration, since all administration takes place over a web interface on the network. If communication gets messed up, it may be impossible to repair. It isn't possible to do administration on the machine running IP Cop.
There is far more to IP Cop than what we have looked at here. It includes intrusion detection, numerous logs, traffic shaping and more.
At the moment I still have little experience with IP Cop but will be using it in the future. For the small office/home office (SOHO) it provides many benefits. My problem, as usual, was the documentation.
Not that it was lacking or meager. Essentially everything one needs to know was there. But it wasn't where I needed it!
I was reminded of a trip to a local bureaucracy a number of years ago. I looked at the signs, got in what I thought was the appropriate line, and when my turn came was told that I should be somewhere else. Yeah, the sign could mean that as well... but only to those used to that particular situation.
Bottom line: this software is really impressive, and the documentation includes the information you will need to install and configure and operate it. But - once again - navigating the documentation can be difficult.
Nonetheless, in the long run, for anyone with more than a two-machine installation, IP Cop should be well worth the effort.
Talkback: Discuss this article with The Answer Gang
Edgar is a consultant in the Cologne/Bonn area in Germany.
His day job involves helping a customer with payroll, maintaining
ancient IBM Assembler programs, some occasional COBOL, and
otherwise using QMF, PL/1 and DB/2 under MVS.
(Note: mail that does not contain "linuxgazette" in the subject will be
rejected.)